14 May 2018

F5 BIG-IP ASM – Policy Tuning and Violations

Web Application Firewalls (WAF) should be configured properly to understand web application logic, because if a WAF is not well configured, intruders will be able to get access to applications. This is the main reason why developers should take part in WAF deployment projects. However, developers sometimes want to add lots of security code to applications or, even worse, they don't want to know anything about security. From my point of view, developers should take part in WAF deployment projects, but security should be managed by security engineers. I mean, developers should improve applications with new features and enhancements while security engineers should protect applications.

Organizations don't take advantage of lots of security tools like antivirus, network firewalls, Web Application Firewalls (WAF), Security Information and Event Management (SIEM) systems, Network Access Control (NAC) systems or vulnerability assessment tools because these tools are time-consuming, companies don't have security staff and IT engineers never have enough time to configure these tools properly. Therefore, tuning security tools, such as tuning firewall policies, is difficult to accomplish most of the time.

When I talk about Policy Tuning and Violation, for instance for a WAF deployment, I'm talking about choosing the right learning mode, defining learning suggestions, defining the Learn, Alarm and Block settings or defining the Enforcement Readiness Period. Next, we can watch how I create a negative security policy based on Rapid Deployment Policy (RDP), accept learning suggestions for false positives and block XSS attacks. A negative security policy configuration like this should be the first phase in a WAF deployment.

Once we are protecting web applications with a negative security policy, we should take the plunge and move to a positive security policy. This will be more difficult because we need the developers' participation. That means developers have to know what entities are used by applications. For instance, we have to know about file types, URL redirections, cookies, static and dynamic parameters, etc. Therefore, a negative security policy along with a positive security policy will be real protection for your web services.
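The two phases described above can be sketched as a small conceptual model. This is an added example, not F5 code or configuration: the `Policy` class, the `evaluate` function, the violation labels, the sample signature and the 7-day readiness value are all assumptions made for illustration, and staging is simplified to a single age for the allow-lists.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qsl

# Constructed pattern standing in for a real attack-signature set.
XSS = re.compile(r"<\s*script|\bon\w+\s*=|javascript:", re.I)

@dataclass
class Policy:
    blocking_mode: bool           # False = transparent: report only, never block
    flags: dict                   # violation -> (learn, alarm, block)
    file_types: set = None        # None = positive check not configured
    parameters: set = None
    days_since_change: int = 0    # age of the allow-lists (simplified staging)
    readiness_days: int = 7       # Enforcement Readiness Period (assumed value)

def evaluate(policy, url):
    parts = urlsplit(url)
    name = parts.path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1] if "." in name else "no_ext"
    params = parse_qsl(parts.query, keep_blank_values=True)
    staged = policy.days_since_change < policy.readiness_days
    found = []                    # (violation, in_staging)
    # Negative model: look for known-bad content in parameter values.
    if any(XSS.search(value) for _, value in params):
        found.append(("Attack signature detected", False))
    # Positive model: anything the developers did not declare is a violation.
    if policy.file_types is not None and ext not in policy.file_types:
        found.append(("Illegal file type", staged))
    if policy.parameters is not None and any(n not in policy.parameters for n, _ in params):
        found.append(("Illegal parameter", staged))
    result = {"action": "pass", "alarms": [], "suggestions": []}
    for violation, in_staging in found:
        learn, alarm, block = policy.flags[violation]
        if learn:
            result["suggestions"].append(violation)   # feeds policy tuning
        if alarm:
            result["alarms"].append(violation)        # logged for the engineer
        if block and policy.blocking_mode and not in_staging:
            result["action"] = "block"
    return result

# Constructed policies: signature-only first phase, then allow-lists still in staging.
ALL = {v: (True, True, True) for v in
       ("Attack signature detected", "Illegal file type", "Illegal parameter")}
NEGATIVE = Policy(True, ALL)
POSITIVE = Policy(True, ALL, {"php", "no_ext"}, {"user", "q"}, days_since_change=2)
```

In this model the same undeclared file type and parameter pass silently under `NEGATIVE`, produce only learning suggestions under `POSITIVE` while it is in staging, and are blocked once the readiness period has elapsed.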

Regards, my friends. Drop a line with the first thing you are thinking.